Confusion regarding output from Get-ADReplAccount

[Kurt-MT]

First time using hashcat, and am having difficulty getting it to work.

This command:

Get-ADReplAccount -All -Server dc1 | Format-Custom -View hashcatnt | Out-File -FilePath c:\temp\data.txt -Encoding ascii

yields output like this:

sum.dude:3ff966736c064feafdba792a0e02c099

I'm getting two error messages, depending on the commands used.
"Separator unmatched" from these commands
hashcat -m1100 -a0 --username ./data.txt ./rockyou.txt
hashcat -m2100 -a0 --username ./data.txt ./rockyou.txt
hashcat -m2100 -a0 ./data.txt ./rockyou.txt

"Token length exception" from this command
hashcat -m1100 -a0 ./data.txt ./rockyou.txt

I've verified that there are no spaces in data.txt. I copied the opened data.txt file in Notepad++, then pasted it into a vi document on my The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali) box.

So, questions:
1) Is the output from Get-ADReplAccount in DCCS or DCCS2 format (or something else)?
2) How do I massage the file to get it running?

Thanks,
Kurt

[lapsikmees]

Your hash looks like MD5. You need to remove useless stuff from hash for hashcat, look up for hash examples.

Also posting hash is not allowed...

[Snoopy]

first mask the hash

second, it seems your are dumping an NT hash (like in hashcatnt), so the mode your are looking for is -m1000

third, delete sum.dude: in front of the hash or use option --username

[Kurt-MT]

first mask the hash

second, it seems your are dumping an NT hash (like in hashcatnt), so the mode your are looking for is -m1000

third, delete sum.dude: in front of the hash or use option --username

I should have masked - but I did munge it, changing a few characters. Will mask next time, if needed.

I got it working by rebuilding the machine using ubuntu instead of The-Distribution-Which-Does-Not-Handle-OpenCL-Well (Kali), and using -m1000 and --username.

Also did a bit of searching and found how to get the username and password into a file.

One other question - I've searched a bit, but can't seem to find an explanation for output that shows a format of

$HEX[xxxxxxxxxx34303a29]

Would that be someone using upper ASCII/ALT-gray characters, or is it a glitch in the output, or something else?

Thanks for the help.

Kurt

[Snoopy]

This mostly happens when the cracked pass contains a : as this is used as seperator for hash:salt:pass. In your case use https://www.rapidtables.com/convert/numb...ascii.html for converting the data between the [] to get yor plaintext.

Funny, your posted last hex converts to -> 40:)
So thats why the output is converted to hex

[Snoopy]

Just change some hashchars to XX to show people that this hash is masked, munge? is not visible when using possible hex values

[Kurt-MT]

Just change some hashchars to XX to show people that this hash is masked, munge? is not visible when using possible hex values

Thanks for your help. I did finally find reference on the $HEX output. Likely, as noted in that article it's a bible quote.
https://sensepost.com/blog/2020/nthashes-and-encodings/

I'll do some more searching on how best to convert to en-US output.

Kurt

[Snoopy]

Just change some hashchars to XX to show people that this hash is masked, munge? is not visible when using possible hex values

Thanks for your help. I did finally find reference on the $HEX output. Likely, as noted in that article it's a bible quote.
https://sensepost.com/blog/2020/nthashes-and-encodings/

I'll do some more searching on how best to convert to en-US output.

Kurt

you can use an explizit outfile --outfile (see options) together with option --outfile-autohex-disable, this will result in an utf-8 formatted outfile where you can "see" the plain pw like John:10:10 or german umlauts like öäü, output in a potfile will allways use HEX[] when there is a : (and maybe other special chars) in the cracked password as this char/sign is used as seperator

[Kurt-MT]

This worked for me:
hashcat -m1000 -a0 --username ~/hashRepo/data.txt ~hashRepo/realuniq.lst -r ~/hashRepo/rule_them_all.rule
then:
hashcat -m1000 --username --potfile-path ~/.local/share/hashcat/hashcat.potfile --show -o ~/hashRepo/final --outfile-format 2 ~/hashRepo/data.txt

In 3 days, I recovered 305 of 795 hashes, and am trying again with -S -O -w 3 - my hardware is fairly weak, so that's going to take a long time.

Kurt

[Snoopy]

due to the fact, that it seems your dataset comes from an ActiveDirectory Controller or something similar

take a look at the passes you already cracked, AD comes mostly with some kind of password restrictions like lenght or used chars, when you get a good idea/guess of that password policy, you can modify your attack to be more effective